Mitigate libvirt: error : unable to set AppArmor profile 'libvirt-<vm-uuid>' for '/usr/bin/kvm-spice': No such file or directory
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| Ubuntu Cloud Archive | Fix Released | Undecided | Unassigned | |
| Queens | Fix Released | Undecided | Unassigned | |
| Stein | Fix Released | Undecided | Unassigned | |
| Ussuri | Fix Released | Undecided | Unassigned | |
| libvirt (Ubuntu) | Fix Released | Medium | Unassigned | |
| Bionic | Fix Released | Medium | Christian Ehrhardt | |
| Focal | Fix Released | Medium | Christian Ehrhardt | |
| Hirsute | Fix Released | Medium | Christian Ehrhardt | |
| Impish | Fix Released | Medium | Christian Ehrhardt | |
| Jammy | Fix Released | Medium | Unassigned | |
Bug Description
[Impact]
Sometimes libvirt fails to start a VM with the following error:
libvirt: error : unable to set AppArmor profile 'libvirt-
This happens because, for some reason, the AppArmor profile for the guest, /etc/apparmor.
We do not know why the above file gets truncated in the first place, so we do not know the root cause and cannot fix it at its origin. But the condition is easy to detect and is always broken (a guest with a zero-byte profile will not start), so we can detect it and recreate the file in those cases.
[Test case]
To reproduce this behaviour, create a VM, stop it, and note its UUID.
For example:
$ uvt-simplestrea
$ uvt-kvm create --password=ubuntu f release=focal arch=amd64 label=daily
$ virsh dominfo f
...
Security label: libvirt-
$ virsh shutdown f
Then make the guest's AppArmor profile an empty file.
On Bionic/Focal that file will be non-existent by default (it is cleaned up on guest stop); on Hirsute/Impish it stays around for admin edits, but with content. Therefore "touch" isn't enough in every case; instead really write nothing to it, as that is how the real issue looks.
$ cat /dev/null | sudo tee /etc/apparmor.
# ensure it is size zero
$ ll /etc/apparmor.
-rw-r--r-- 1 root root 0 Nov 18 09:01 /etc/apparmor.
Next, try to start the VM. It will try to use the file it found (instead of creating a new one, as it would if the file did not exist) and fail doing so:
$ virsh start f
error: internal error: Process exited prior to exec: libvirt: error : unable to set AppArmor profile 'libvirt-
To be able to start the VM again manually, just delete the libvirt-<vm-uuid> file.
With the fix applied, libvirt recreates the file and guest start works again.
In addition (independent of this case) I'll run a set of common regression tests against <release>-proposed, which haven't run for a while and would also let us spot if anything else slipped in from different places (like the dwarves hiccup we had). Since testing shall be on "the real build" and resources are limited, I'd this time do so only on the builds in proposed.
[Regression Potential]
The new code is only active when the size of the file is zero, which is a 100% guarantee that the guest is broken and won't start. Nevertheless, if we made a mistake in the fix, the area (of the many things libvirt does) to look at is the generation and use of AppArmor profiles.
[Other]
Similar reported bug: https:/
Related branches
- Reviews: Sergio Durigan Junior (community): Approve; Canonical Server packageset reviewers: Pending requested; git-ubuntu import: Pending requested
  Diff: 106 lines (+84/-0), 3 files modified: debian/changelog (+7/-0), debian/patches/series (+1/-0), debian/patches/ubuntu/lp-1927519-virt-aa-helper-Purge-profile-if-corrupted.patch (+76/-0)
- Reviews: Sergio Durigan Junior (community): Approve; Canonical Server packageset reviewers: Pending requested; git-ubuntu import: Pending requested
  Diff: 106 lines (+84/-0), 3 files modified: debian/changelog (+7/-0), debian/patches/series (+1/-0), debian/patches/ubuntu/lp-1927519-virt-aa-helper-Purge-profile-if-corrupted.patch (+76/-0)
- Reviews: Sergio Durigan Junior (community): Approve; Canonical Server packageset reviewers: Pending requested; git-ubuntu import: Pending requested
  Diff: 106 lines (+84/-0), 3 files modified: debian/changelog (+7/-0), debian/patches/series (+1/-0), debian/patches/ubuntu/lp-1927519-virt-aa-helper-Purge-profile-if-corrupted.patch (+76/-0)
- Reviews: Sergio Durigan Junior (community): Approve; Canonical Server: Pending requested; git-ubuntu import: Pending requested
  Diff: 176 lines (+148/-0), 4 files modified: debian/changelog (+9/-0), debian/patches/series (+2/-0), debian/patches/ubuntu/lp-1927519-virt-aa-helper-Purge-profile-if-corrupted.patch (+71/-0), debian/patches/ubuntu/skip-new-pdwtags.patch (+66/-0)
- Reviews: Sergio Durigan Junior (community): Approve; Canonical Server packageset reviewers: Pending requested; git-ubuntu import: Pending requested
  Diff: 197 lines (+140/-0), 6 files modified: debian/changelog (+13/-0), debian/control (+1/-0), debian/libvirt-daemon-system.postinst (+8/-0), debian/patches/series (+2/-0), debian/patches/ubuntu/lp-1927519-virt-aa-helper-Purge-profile-if-corrupted.patch (+76/-0), debian/patches/ubuntu/swtpm-by-swtpm-user.patch (+40/-0)
- Changed in libvirt (Ubuntu): importance: Undecided → Medium; status: New → Confirmed
- Changed in libvirt (Ubuntu Impish): status: New → Confirmed
- Changed in libvirt (Ubuntu Hirsute): status: New → Confirmed
- Changed in libvirt (Ubuntu Focal): status: New → Confirmed
- Changed in libvirt (Ubuntu Bionic): status: New → Confirmed; importance: Undecided → Medium
- Changed in libvirt (Ubuntu Focal): importance: Undecided → Medium
- Changed in libvirt (Ubuntu Hirsute): importance: Undecided → Medium
- Changed in libvirt (Ubuntu Impish): importance: Undecided → Medium
- Changed in libvirt (Ubuntu Jammy): status: Confirmed → In Progress
- description: updated
- Changed in cloud-archive: status: New → Fix Committed
- Changed in cloud-archive: status: Fix Committed → Fix Released
- Changed in cloud-archive: status: Fix Released → Fix Committed
Thanks Ioanna for the bug.
In the discussion we already had I suggested how to fix it in code, and I think this is still a valid approach to harden against whatever was causing it in the first place.
After initial creation the file is meant to stay as-is to allow users to do customization, e.g. special AppArmor rules that only apply to this particular guest.
Now, while we conceptually allow edits, we could argue that a 0-byte file is always surely a consequence of an error, and in that case regenerate it as if it had not been there.
Currently creation only happens within
/* create the profile from TEMPLATE */
if (ctl->cmd == 'c') {
But we could move that out to a function and call it here as well as on the ctl->cmd == 'r' path IF the file does a) not exist or b) is of size zero.